User Manual — Back to Kubernetes Service Discovery Back to Service Discovery Back to User Manual
This guide explains the Kubernetes service discovery feature from the beginning. It shows how to create a small DocumentDB cluster in Kubernetes, how the VS Code extension discovers it, and how to test the full flow locally and in Azure Kubernetes Service (AKS).
Use this guide when you want to:
This guide is for development and validation. For production AKS clusters, use your team’s normal security, networking, identity, backup, monitoring, and change-management standards.
Kubernetes is a system that runs containers. A Kubernetes cluster contains:
A kubeconfig file tells tools such as kubectl and the VS Code extension how to reach Kubernetes clusters. It usually contains:
The extension can read the default kubeconfig from KUBECONFIG or the Kubernetes default kubeconfig path (~/.kube/config on macOS/Linux, %USERPROFILE%\.kube\config on Windows), a custom kubeconfig file, or pasted kubeconfig YAML stored in VS Code Secret Storage.
The DocumentDB Kubernetes Operator manages DocumentDB clusters inside Kubernetes. In this feature, the operator is important because it creates Kubernetes resources that the extension can understand:
DocumentDB custom resource
-> backing Kubernetes Service
-> ready pod endpoint
-> credential Secret
The extension discovers operator-managed resources first. If the operator CRD is not installed, the extension can fall back to generic Kubernetes Services that opt in or expose known DocumentDB-compatible ports.
The extension does not ask you to manually build a connection string. Instead, it uses Kubernetes APIs to find DocumentDB-compatible targets:
VS Code
-> DocumentDB extension
-> Service Discovery tree
-> Kubernetes provider
-> kubeconfig source
-> context
-> namespace
-> DocumentDB target
When you connect to a discovered target, two authentication layers are involved:
Layer 1: Kubernetes access
Used by the extension to list namespaces, Services, endpoints, Secrets, and DKO resources.
Comes from kubeconfig.
Layer 2: DocumentDB database access
Used by the extension to authenticate to DocumentDB itself.
Usually comes from a Kubernetes Secret created for the DocumentDB cluster.
For ClusterIP Services, the database is only reachable inside the Kubernetes cluster. The extension handles that by starting a local port-forward tunnel:
DocumentDB extension
-> Kubernetes API pods/portforward
-> ready DocumentDB pod in the cluster
-> local connection string such as mongodb://127.0.0.1:10260/
Both the local and Azure paths create the same basic lab shape:
Kubernetes cluster
namespace: documentdb-ns
Secret: documentdb-credentials
username
password
DocumentDB custom resource: my-documentdb
nodeCount: 1
instancesPerNode: 1
exposeViaService: ClusterIP
Service: documentdb-service-my-documentdb
port: 10260
The extension should discover my-documentdb, resolve credentials from documentdb-credentials, start a port-forward tunnel for the ClusterIP Service, and create a normal saved connection in the Connections view.
Install these tools before starting:
| Tool | Why you need it |
|---|---|
| VS Code | Runs and tests the extension. |
| Node.js and npm | Builds the extension. |
| Docker or Colima | Runs the local kind cluster. |
kubectl |
Talks to Kubernetes clusters. |
kind |
Creates a local Kubernetes cluster in Docker. |
helm |
Installs cert-manager and the DocumentDB Kubernetes Operator. |
mongosh |
Optional manual database connectivity test. |
Azure CLI az |
Required only for the AKS path. |
On macOS, the local setup script can install Docker CLI, Colima, kubectl, kind, and helm with Homebrew if they are missing.
Use this path for the fastest developer loop. It creates a disposable local Kubernetes cluster named documentdb-dev.
From the repository root:
./scripts/k8s-test-setup.sh
The script does the following:
documentdb-dev.documentdb-ns.documentdb-credentials.DocumentDB custom resource named my-documentdb.The resulting kubeconfig context is:
kind-documentdb-dev
The sample local credentials are printed by the script and are intended only for a disposable local test cluster.
If you have the DocumentDB Kubernetes Operator repository checked out next to this repository as ../dko, you can also use the DKO repository’s local development deployment script:
operator/src/scripts/development/deploy.shFrom the DKO repository’s operator/src directory:
cd ../dko/operator/src
DEPLOY=true DEPLOY_CLUSTER=true ./scripts/development/deploy.sh
This DKO script builds the local operator images, creates or reuses a kind Kubernetes cluster with a local registry, installs cert-manager, installs the operator, deploys a sample DocumentDB cluster, and prints follow-up health and connection commands.
Use this script when you need to validate the operator development workflow itself. Use ./scripts/k8s-test-setup.sh from this repository when you only need a ready local cluster for testing the VS Code extension discovery feature.
Use the manual steps if you are not on macOS, want to understand each resource, or need to adjust the cluster.
Create the kind cluster:
kind create cluster --name documentdb-dev --image kindest/node:v1.35.0
kubectl config use-context kind-documentdb-dev
Install cert-manager:
helm repo add jetstack https://charts.jetstack.io 2>/dev/null || true
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
--wait
Install the DocumentDB Kubernetes Operator:
helm repo add documentdb https://documentdb.github.io/documentdb-kubernetes-operator 2>/dev/null || true
helm repo update
helm install documentdb-operator documentdb/documentdb-operator \
--namespace documentdb-operator \
--create-namespace \
--wait
Create a namespace, credentials Secret, and DocumentDB cluster:
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
name: documentdb-ns
---
apiVersion: v1
kind: Secret
metadata:
name: documentdb-credentials
namespace: documentdb-ns
type: Opaque
stringData:
username: dev_user
password: DevPassword123
---
apiVersion: documentdb.io/preview
kind: DocumentDB
metadata:
name: my-documentdb
namespace: documentdb-ns
spec:
nodeCount: 1
instancesPerNode: 1
documentDbCredentialSecret: documentdb-credentials
resource:
storage:
pvcSize: 10Gi
exposeViaService:
serviceType: ClusterIP
EOF
Wait for the custom resource to become healthy:
kubectl wait --for=jsonpath='{.status.phase}'='Cluster in healthy state' \
documentdb/my-documentdb \
--namespace documentdb-ns \
--timeout=300s
Inspect the result:
kubectl get documentdb -n documentdb-ns
kubectl get pods -n documentdb-ns
kubectl get services -n documentdb-ns
kubectl get secret documentdb-credentials -n documentdb-ns
You should see a DocumentDB resource named my-documentdb, at least one ready pod, and a Service named documentdb-service-my-documentdb.
Use this path when you want to test the same extension flow against a real Azure-hosted Kubernetes cluster.
The commands below create a small dev/test AKS cluster. They intentionally keep the DocumentDB Service as ClusterIP, so the database is reached through Kubernetes port-forwarding rather than a public load balancer.
The DKO repository owns the AKS deployment automation for DocumentDB on Kubernetes:
documentdb-playground/aks-setup/README.mddocumentdb-playground/aks-setup/scripts/create-cluster.shdocumentdb-playground/aks-setup/scripts/test-connection.shdocumentdb-playground/aks-setup/scripts/delete-cluster.shIf you have the DKO repository checked out next to this repository as ../dko, the fastest AKS path is:
cd ../dko/documentdb-playground/aks-setup/scripts
az login
./create-cluster.sh --install-all
./test-connection.sh
The DKO AKS script creates an AKS Kubernetes cluster, configures Azure storage and load balancing, installs cert-manager and the DocumentDB Kubernetes Operator, deploys a sample DocumentDB instance, and configures kubeconfig. The test script checks the DocumentDB resource status, Service, credentials Secret, and database connectivity.
Run the cleanup script when you finish testing:
./delete-cluster.sh --delete-all
The manual AKS steps below are useful when you want to understand or customize each command before running the DKO automation.
az login
LOCATION=eastus
RESOURCE_GROUP=rg-documentdb-k8s-dev
AKS_NAME=aks-documentdb-dev
Create the resource group:
az group create \
--name "$RESOURCE_GROUP" \
--location "$LOCATION"
For a development cluster, this Standard AKS command is a practical baseline:
az aks create \
--resource-group "$RESOURCE_GROUP" \
--name "$AKS_NAME" \
--location "$LOCATION" \
--node-count 2 \
--node-vm-size Standard_D4ds_v5 \
--network-plugin azure \
--network-plugin-mode overlay \
--network-dataplane cilium \
--enable-managed-identity \
--generate-ssh-keys
Notes:
Standard_D4ds_v5 is a reasonable dev/test node size. Avoid burstable B-series nodes for this workload.--network-dataplane cilium, update the Azure CLI or remove that line for the lab cluster.Download the kubeconfig entry:
az aks get-credentials \
--resource-group "$RESOURCE_GROUP" \
--name "$AKS_NAME" \
--overwrite-existing
Confirm that kubectl can reach the cluster:
kubectl get nodes
kubectl config current-context
helm repo add jetstack https://charts.jetstack.io 2>/dev/null || true
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
--wait
helm repo add documentdb https://documentdb.github.io/documentdb-kubernetes-operator 2>/dev/null || true
helm repo update
helm install documentdb-operator documentdb/documentdb-operator \
--namespace documentdb-operator \
--create-namespace \
--wait
Verify the operator:
kubectl get pods -n documentdb-operator
kubectl get crd | grep documentdb
Use a development password that is not reused anywhere else. Do not commit real secrets.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
name: documentdb-ns
---
apiVersion: v1
kind: Secret
metadata:
name: documentdb-credentials
namespace: documentdb-ns
type: Opaque
stringData:
username: dev_user
password: ReplaceWithADevOnlyPassword
---
apiVersion: documentdb.io/preview
kind: DocumentDB
metadata:
name: my-documentdb
namespace: documentdb-ns
spec:
nodeCount: 1
instancesPerNode: 1
documentDbCredentialSecret: documentdb-credentials
resource:
storage:
pvcSize: 10Gi
exposeViaService:
serviceType: ClusterIP
EOF
Wait and inspect:
kubectl wait --for=jsonpath='{.status.phase}'='Cluster in healthy state' \
documentdb/my-documentdb \
--namespace documentdb-ns \
--timeout=600s
kubectl get documentdb,pods,services -n documentdb-ns
If the wait times out, inspect events and operator logs:
kubectl describe documentdb my-documentdb -n documentdb-ns
kubectl get events -n documentdb-ns --sort-by=.lastTimestamp
kubectl logs -n documentdb-operator deploy/documentdb-operator
This test proves the Kubernetes cluster and DocumentDB deployment work before you involve the VS Code extension.
Find a ready pod:
kubectl get pods -n documentdb-ns
Start a port-forward from your terminal. Replace <ready-pod-name> with the pod name from the previous command:
kubectl port-forward pod/<ready-pod-name> 10260:10260 -n documentdb-ns
In another terminal, connect with mongosh:
mongosh 'mongodb://dev_user:<password>@127.0.0.1:10260/?directConnection=true&authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true&replicaSet=rs0'
For the local setup script, the sample password is DevPassword123. For AKS, use the development password you put in the Secret.
Run a quick smoke test in mongosh:
show dbs
use smoke
db.items.insertOne({ source: "kubernetes-discovery-lab", createdAt: new Date() })
db.items.find()
Stop the manual port-forward with Ctrl+C after the test. The VS Code extension starts its own port-forward when it connects to a ClusterIP Service.
From the repository root:
npm install
npm run build
npm run webpack-dev
Open the repository in VS Code and press F5 to launch an Extension Development Host.
In the Extension Development Host:
kind-documentdb-dev,az aks get-credentials.documentdb-ns.my-documentdb or documentdb-service-my-documentdb appears as a DocumentDB target.Expected tree shape:
Service Discovery
Kubernetes
Default kubeconfig
kind-documentdb-dev
documentdb-ns
my-documentdb [DKO] [ClusterIP :10260]
The exact label may include provider, region, service type, or port details.
Use either flow:
For a ClusterIP Service, the extension asks for a local port. Use 10260 if it is free, or choose another local port.
Expected behavior:
127.0.0.1:<localPort>.documentdb-credentials.After adding the connection:
kubectl port-forward; the extension tunnel is separate.Expected behavior:
The DKO path is the primary path. You can also verify generic Kubernetes Service discovery by creating a Service that opts in explicitly.
First inspect the labels on the ready DocumentDB pods:
kubectl get pods -n documentdb-ns --show-labels
Then create a generic Service whose selector matches those ready pods. The example below is a template: replace <label-key> and <label-value> with a real label key/value pair from the previous command before applying it.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Secret
metadata:
name: generic-documentdb-credentials
namespace: documentdb-ns
type: Opaque
stringData:
username: dev_user
password: DevPassword123
---
apiVersion: v1
kind: Service
metadata:
name: generic-documentdb-target
namespace: documentdb-ns
annotations:
documentdb.vscode.extension/discovery: "true"
documentdb.vscode.extension/credential-secret: generic-documentdb-credentials
spec:
type: ClusterIP
selector:
<label-key>: <label-value>
ports:
- name: documentdb
protocol: TCP
port: 10260
targetPort: 10260
EOF
Refresh the Kubernetes discovery tree. The generic Service should appear if its selector points to ready DocumentDB pods. If it does not appear, check the Service selector and endpoints:
kubectl describe service generic-documentdb-target -n documentdb-ns
kubectl get endpoints generic-documentdb-target -n documentdb-ns
| Symptom | What it usually means | How to check |
|---|---|---|
| Kubernetes source fails to load | kubeconfig is missing, invalid, or points to an unreachable cluster. | kubectl config current-context; kubectl get namespaces |
| Context appears but namespace loading fails | Kubernetes identity lacks namespaces list. |
Ask for RBAC or use an admin/dev kubeconfig. |
| Namespace appears but no DocumentDB target appears | DKO resource is not healthy, Service is missing, or generic Service does not opt in. | kubectl get documentdb,services -n documentdb-ns |
| DKO discovery returns an RBAC error | The identity cannot list documentdb.io dbs resources. |
kubectl auth can-i list dbs.documentdb.io -n documentdb-ns |
| Credentials are not auto-filled | Secret is missing, has different keys, or Kubernetes identity cannot get Secrets. |
kubectl get secret documentdb-credentials -n documentdb-ns; kubectl auth can-i get secrets -n documentdb-ns |
| Port-forward fails | No ready endpoint, local port in use, or missing pods/portforward create. |
kubectl get endpoints -n documentdb-ns; kubectl auth can-i create pods/portforward -n documentdb-ns |
| AKS nodes are stuck or pods are pending | VM quota, storage, image pull, or scheduling issue. | kubectl describe pod <pod> -n documentdb-ns; az aks show --resource-group "$RESOURCE_GROUP" --name "$AKS_NAME" |
./scripts/k8s-test-teardown.sh
or:
kind delete cluster --name documentdb-dev
To stop paying for the AKS lab and its related resources:
az group delete \
--name "$RESOURCE_GROUP" \
--yes
If you want to keep the resource group but remove only the cluster:
az aks delete \
--resource-group "$RESOURCE_GROUP" \
--name "$AKS_NAME" \
--yes
Use this checklist before asking someone else to review the feature:
kubectl get nodes works for the selected context.kubectl get documentdb -n documentdb-ns shows my-documentdb.kubectl get service -n documentdb-ns shows documentdb-service-my-documentdb.kubectl port-forward plus mongosh works.